ECS Task Roles - Task Execution Role vs Task Role
What is the difference between these two roles and how do they work?
When you create and deploy your application as containers in an ECS cluster and want that application to access other AWS services, such as an S3 bucket or a DynamoDB table, the container must be granted those specific permissions.
In ECS, you have two types of IAM roles created during cluster creation -
ECS Task Execution Role
ECS Task Role
The ECS Task Execution Role is used by the co-located ECS agent to perform actions on the task's behalf. It is not related to the application being deployed, and the application code does not use it.
The following are some use cases for a Task execution role:
Your task is hosted on AWS Fargate or on an external instance and:
pulls a container image from an Amazon ECR private repository
pulls a container image from an Amazon ECR private repository in a different account from the account that runs the task
sends container logs to CloudWatch Logs using the awslogs log driver
Your task is hosted on either AWS Fargate or Amazon EC2 instances and:
uses private registry authentication. For more information, see Private registry authentication permissions.
uses Runtime Monitoring.
the task definition references sensitive data using Secrets Manager secrets or AWS Systems Manager Parameter Store parameters.
ECS provides the managed policy AmazonECSTaskExecutionRolePolicy with the permissions for the common use cases listed above; it is attached to the ecsTaskExecutionRole.
The ECS Task Role is used by the containers to perform their application-specific work. When you deploy multiple applications into a cluster, you create a separate Task Role for each application based on its requirements.
For example, if one application needs S3 access while another needs read access to a DynamoDB table, you create two separate roles, one per container, and attach each to its task definition.
If you have multiple task definitions or services that require IAM permissions, consider creating a role for each specific task definition or service with the minimum permissions the tasks need to operate, so that the access granted to each task is kept as small as possible.
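As an added example (not code from the original post), the following shows how the two roles are wired into a single task definition, a least-privilege task-role policy for one bucket, and a small check that agent-side permissions do not leak into the application's role. The account id, role names, bucket, image and the aws:SourceArn trust condition are constructed assumptions, not values from the post.

```python
# Added example: the two ECS roles on one task definition plus an audit of the split.
ACCOUNT = "123456789012"  # constructed placeholder account id
REGION = "us-east-1"
# Agent-side actions that belong in the execution role, not the task role.
EXECUTION_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
    "logs:CreateLogStream", "logs:PutLogEvents",
}

def trust_policy() -> dict:
    """Both roles are assumed only by ECS tasks in this account (SourceArn is an assumption)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:ecs:{REGION}:{ACCOUNT}:*"}},
    }]}

def task_role_policy(bucket: str) -> dict:
    """Application permissions: read one bucket and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}

def task_definition(family: str, image: str) -> dict:
    """executionRoleArn is for the agent (pull image, ship logs); taskRoleArn is for the app."""
    return {
        "family": family,
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
        "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/{family}-task-role",
        "containerDefinitions": [{"name": family, "image": image, "essential": True,
            "logConfiguration": {"logDriver": "awslogs", "options": {
                "awslogs-group": f"/ecs/{family}", "awslogs-region": REGION,
                "awslogs-stream-prefix": "ecs"}}}],
    }

def audit_task_role(policy: dict) -> list:
    """Flag wildcards and agent-only actions that do not belong in a task role."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"wildcard action {a}")
            if a in EXECUTION_ACTIONS:
                findings.append(f"execution-role action {a} in task role")
        if st.get("Resource") in ("*", ["*"]):  # whole-statement wildcard resource
            findings.append("wildcard resource")
    return findings
```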
In a nutshell -
ECS Task Execution Role - used by the co-located ECS agent to perform actions on the task's behalf, e.g. publishing logs or pulling the container image.
ECS Task Role - used by the container workload(s) to perform their application-specific tasks, e.g. accessing an RDS database.